Approaches for Designing Flexible Mandatory System Security Policies Trent Jaeger IBM Research July 8, 2004


Page 1

Approaches for Designing Flexible Mandatory System Security Policies

Trent Jaeger

IBM Research

July 8, 2004

Page 2

Linux 2.6 Has LSM and SELinux

Linux Security Modules Framework
– Reference monitor interface within the kernel
– No problems with redundant parsing or races
– Enforce mandatory access control (MAC)
– Restricts discretionary permissions

Noteworthy LSM Features
– Comprehensive MAC enforcement: 200+ hooks
– Control access to 29 kernel data types

SELinux module
– Supports comprehensive MAC
– Enhanced Type Enforcement policy: roles, subject types, transitions, etc.
– Large “example” policy (25,000+ permission assignments)
– Requires customization to security target

Page 3

Integrity

[Diagram: a High Subject holds a Read permission on an Object; a Low Subject holds a Write permission on the same Object. Low Subject Can Modify Input To High.]

Page 4

SELinux & Integrity

[Diagram: permission chains of the form Subject Type → Subject Attr → Attr Perm → Perm]

Subject Type | Subject Attr | Attr Perm  | Perm
sysadm_t     | userdomain   | ttyfile rw | user_tty_device_t rw
user_t       | userdomain   | ttyfile rw | user_tty_device_t rw

Users can modify input to sysadm_t!!

Page 5

SELinux Integrity Problem

[Diagram: information-flow graph drawn from the SELinux example policy. High integrity subject types: sysadm, sshd, logrotate, setfiles. Low integrity subject types: user, httpdadmin, xdm. Attribute permissions: file_type read, sshd_tmp read, lastlog write, logfile read. Permissions: user_ssh rw, lastlog read, sshd_tmp rw. Legend: High Subject Type, Attr Perm, Perm, Low Subject Type, Conflict.]

Page 6

Integrity Models

Biba Integrity
– No high integrity subject may depend on low integrity data/code
– Implication: No information flow from low integrity to high

LOMAC
– The integrity level of a subject is equal to its lowest integrity input
– Implication: same as Biba

Caernarvon
– The integrity level of a subject or object is specified by a range
– Implication: Subjects may depend on/modify a range of integrity levels

Clark-Wilson
– Only high integrity Transformation Procedures modify high integrity data
– Implication: Low integrity data may be read only if the reader upgrades or discards it

Page 7

Our Integrity Goal

Use flexible policy expression
– SELinux’s extended Type Enforcement policy
– Defines all relevant policy decisions

Find integrity problems
– Information flows that satisfy Biba are permitted
– “Resolve” others: remove or manage (Clark-Wilson)

Compute information to assist in resolution
– Find problems: Minimal cover set
– Identify solutions: Resolutions
– Determine solutions: Impact

Page 8

Minimal Cover Set for Integrity Violations

[Diagram: the chain Subject Type → Subject Attr → Attr Perm → Perm, with the Subject-Permission Assignment highlighted as the unit the cover set is expressed in.]

Subject Type | Subject Attr | Attr Perm  | Perm
sysadm_t     | userdomain   | ttyfile rw | user_tty_device_t rw

Page 9

Minimal Cover Set

[Diagram: the same information-flow graph as the SELinux Integrity Problem slide (high integrity subject types sysadm, sshd, logrotate, setfiles; low integrity subject types user, httpdadmin, xdm; attribute permissions file_type read, sshd_tmp read, lastlog write, logfile read; permissions user_ssh rw, lastlog read, sshd_tmp rw). Legend: High Subject Type, Attr Perm, Perm, Low Subject Type, Conflict, S-P Assign.]

Page 10

Integrity Resolutions

Remove Subject Type or Object Type
Reclassify Subject Type or Object Type
Change Subject Type-Permission assignment
Clark-Wilson reads
– Allow reading of low integrity data that meet Clark-Wilson
No dependency read (move file)
Deny Object Access
– Track low integrity writes per object
LOMAC Subject Type (sysadm)
– Reduce integrity level of subject when reading low integrity data

Page 11

Example Resolutions

[Diagram: the same integrity-problem graph annotated with resolutions marked X: Exclude Subject Type, No Dep Read, Exclude Object Type, Deny Access. Legend: High Subject Type, Attr Perm, Perm, Low Subject Type, Conflict, S-P Assign.]

Page 12

Resolution Independence

[Diagram: the same integrity-problem graph with a single Low Subject Type marked X. Legend: High Subject Type, Attr Perm, Perm, Low Subject Type, Conflict, S-P Assign.]

Page 13

Resolution Impact

Basic resolution impact
– Number of conflicts that result from a flow assignment or node

Real resolution impact
– Number of conflicts that are eliminated by removal of an assignment or node

Changes on Extremes Have Bigger Impact
– Subject Type, Object Type changes
– Permission assignment is generally low impact

Page 14

Policy Design Tool: Gokyo

Load entire SELinux example policy
Find Biba conflicts in SELinux policy
Display conflicts in terms of minimal cover set
Compute basic impacts for nodes and assignments
Enable expression of resolutions and re-evaluation
Resulting policies provide Clark-Wilson integrity
– Assuming high integrity applications meet assurance requirements
– Assuming sanitization either discards or upgrades low integrity data
Does not fix SELinux module to enforce resolutions

Page 15

Gokyo Resolution

[Diagram: the same integrity-problem graph with the resolutions applied in Gokyo marked X, one on a Low Subject Type and several more on other nodes and assignments. Legend: High Subject Type, Attr Perm, Perm, Low Subject Type, Conflict, S-P Assign.]

Page 16

Policy Design Results

1 Biba constraint (no flow from low to high)
36 TCB subject types (high integrity subjects)
83 excluded subject types (low integrity)
– All other subject types are assumed low
4 object type excludes
1 LOMAC: sysadm
18 denials
83 sanitizations for 24 subject types

Page 17

Other SELinux Policy Analysis Tools

Tresys
– Apol: analyze an SELinux policy (GUI)
– SeAudit: analyze audit messages from SELinux (GUI)
– SeCmds: analyze an SELinux policy and search/replace file contexts
– SeUser: GUI and command-line "user manager" for SELinux
– SePCuT: customize an SELinux policy (GUI)

MITRE
– SLAT: information flow policy expression

Hitachi
– SELinux/Aid: inspect and edit SELinux security policies and inspect log messages

Page 18

Summary

Comprehensive security is complex
– Security requirements should be simple
– Clark-Wilson integrity with assumptions is achievable

Resolution requires tools to support decision-making

Modeling concepts enable focus and guide the resolution process:
– Minimal cover set
– Resolution options
– Resolution impact

SELinux policy model requires adjustments to achieve resolution

Page 19

Summary (cont.)

Research Results
– ACM TISSEC journal: Access Control Spaces
– USENIX Security Conference: Configure TCB policy
– ACM SACMAT: Underlying graph properties for resolution

Working Tool
– Gokyo analysis infrastructure
– Lacks GUI

Analysis Tools for Security
– www.research.ibm.com/vali

Contact for more info
– [email protected]

Page 20

Resolution Issues

Low integrity side vs. High integrity side
– Which is easier to address?

Big impact vs. Ease of understanding
– Small, independent cases are easy
– Small cases with some overlap are not so hard
– Extensive cases with overlap are difficult
– Some assignments result in extensive overlap

How to apply graph theory?
– Node weights based on basic or real impact?
– Minimum cut across graph: cost of making a change is the cost of the cut

Page 21

Current Approach

Identify the minimal cover set for constraint conflicts
– Subject-permission assignments
Compute the basic impact value of each cover assignment
– Number of conflicts reachable
Compute number of subjects/objects impacted by cover assignment
– Examine remove/reclassification or LOMAC semantics
Compute individual node and assignment impacts on demand
Apply permission resolutions
– Sanitize or deny
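The procedure restated on this slide (and spread over the Minimal Cover Set, Integrity Resolutions and Resolution Impact slides), worked through in Python on a small constructed policy. This is an added example, not Gokyo's code or the deck's data: the subject types, attributes and permissions are constructed to mirror the sysadm/user example, the cover set is found by a greedy approximation rather than Gokyo's own method, and LOMAC is simplified to treating the downgraded subject type as low.

```python
from collections import Counter
from itertools import product
# Constructed toy policy mirroring the deck's sysadm/user example (not Gokyo's data).
SUBJECT_ATTRS = {  # subject type -> attributes
    "sysadm_t": {"userdomain", "admin"}, "sshd_t": {"daemon"}, "logrotate_t": {"logadmin"},
    "user_t": {"userdomain"}, "httpd_t": {"daemon"},
}
ATTR_PERMS = {  # attribute -> [(object type, perm)]; "rw" = read + write
    "userdomain": [("user_tty_device_t", "rw"), ("user_home_t", "rw")],
    "admin": [("lastlog_t", "read"), ("logfile_t", "read")],
    "logadmin": [("logfile_t", "rw")],
    "daemon": [("sshd_tmp_t", "rw"), ("lastlog_t", "write"), ("logfile_t", "write")],
}
HIGH = {"sysadm_t", "sshd_t", "logrotate_t"}  # TCB subject types; all others assumed low

def assignments(subject_attrs=SUBJECT_ATTRS, attr_perms=ATTR_PERMS):
    """Expand attribute grants into subject-permission assignments (subject, object, perm)."""
    return {(subj, obj, p)
            for subj, attrs in subject_attrs.items() for attr in attrs
            for obj, perm in attr_perms.get(attr, [])
            for p in (("read", "write") if perm == "rw" else (perm,))}

def biba_conflicts(assigns, high, sanitized=frozenset()):
    """Biba violation: a low write and a high read of one object type (sanitized reads exempt)."""
    writes = [a for a in assigns if a[2] == "write" and a[0] not in high]
    reads = [a for a in assigns if a[2] == "read" and a[0] in high and a not in sanitized]
    return {(w, r) for w, r in product(writes, reads) if w[1] == r[1]}

def basic_impact(conflicts):
    """Basic impact: number of conflicts each subject-permission assignment takes part in."""
    return Counter(a for pair in conflicts for a in pair)

def node_impact(conflicts):
    """Node impact: conflicts per subject type; extremes score higher than single assignments."""
    return Counter(a[0] for pair in conflicts for a in pair)

def greedy_cover(conflicts):
    """Greedy cover set: take the highest-impact assignment (ties alphabetical) until covered."""
    cover, remaining = [], set(conflicts)
    while remaining:
        best = min(basic_impact(remaining).items(), key=lambda kv: (-kv[1], kv[0]))[0]
        cover.append(best)
        remaining = {c for c in remaining if best not in c}
    return cover

def resolve(assigns, high, exclude=(), deny=(), sanitize=(), lomac=()):
    """Re-evaluate after resolutions: exclude subject types, deny access, sanitize reads, LOMAC (treat as low)."""
    kept = {a for a in assigns if a[0] not in set(exclude) and a not in set(deny)}
    return biba_conflicts(kept, set(high) - set(lomac), frozenset(sanitize))
```

Removing one assignment eliminates exactly the conflicts it takes part in, so for assignments the real impact equals the basic impact here; excluding a whole subject type removes every conflict that node touches, which is why the extremes score higher.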

Page 22

LSM

[Diagram: LSM architecture. Requests enter through the System Interface and kernel Entry Points; each Security-sensitive Operation has an Access Hook that asks the loaded Module "Authorize Request?" and receives a Yes/No answer.]

Page 23

Achieving Security Goals

Large Number of Security Decisions
– Comprehensive vs limited security
– 150+ decision points defined by LSM

Defining the Security Goal
– Least Privilege
– Confidentiality
– Integrity

Security Goal Specification
– Simply-stated goals are often too restrictive (e.g., no low integrity data dependencies)
– Flexible languages enable complex goals, but are too complex (e.g., access matrix)

Our Solution Aims:
– Comprehensive
– Integrity
– Use simple model as target, but enable flexible fine tuning